Re: [RFC] linux-2.6.10-auditfs-tc1.patch

From: "Timothy R. Chavez" <chavezt gmail com>

To: Linux Audit Discussion <linux-audit redhat com>

Subject: Re: [RFC] linux-2.6.10-auditfs-tc1.patch

Date: Thu, 20 Jan 2005 09:47:11 -0600

On Thu, 20 Jan 2005 13:32:27 +0000, David Woodhouse <dwmw2 infradead org> wrote:
> Can we make the i_audit field in struct inode dependent on
> CONFIG_AUDITFILESYSTEM?
Sure, I'm glad you pointed that out.
>
> As I understand it, this watches only extant inodes. You can't watch for
> attempts to read or create a non-existent file. Is that functionality
> not required?
I'm fairly sure that for CAPP, this capability is not required.
Granted, it would be useful for other types of auditing.
I'll test this when I get into work to make sure, but I believe that
this is kind of supported in the case where we try to <access> a file
that exists, but we don't have <access> too. We'll get a record for
the syscall and for the file (sharing the same serial number) and in
the record for the syscall, we should see the error code as its return
value right?
To log accesses on non-existent files, it'd probably be sufficient to
hook d_lookup. At that point I have my parent dentry/inode and know
my name. I can simply check to see if its being watched or not and if
it is, record the attempt.
> I'll refrain from heckling about locking since you mentioned it
> yourself :)
Thanks :-)
> --
> dwmw2
>
>
--
- Timothy R. Chavez